India’s data privacy shift: Steering the DPDP compliance and readiness

The EY report India’s digital privacy crossroads: Understanding the DPDP Act’s impact and enterprise readiness shows that while momentum toward compliance is building, readiness remains uneven. A survey of more than 150 professionals across sectors shows that close to 70% of respondents are not very familiar with the DPDP Act and Rules, signaling that knowledge gaps extend even to leadership teams. Sectors with established regulatory exposure and good governance, such as financial services, e‑commerce and technology services, display stronger awareness. In comparison, healthcare, metals, education, manufacturing, infrastructure and shipping continue to face challenges rooted in fragmented data environments and legacy systems.
 

Within organizations, understanding of the DPDP Act and Rules is highest among legal, risk, cybersecurity and technology functions. Business operations, HR, finance and manufacturing teams, despite working closely with personal data, show lower levels of familiarity. This imbalance highlights the need for broader organizational awareness and shared responsibility for compliance.
 

Progress on readiness varies. According to the survey:

• Nearly 48% of organizations have initiated gap assessments
• Nealy 44% of organizations have documented data processing activities
• Close to 38% have categorized personal data and identified third‑party processors
• Nearly 81% have not updated or drafted DPDP‑aligned privacy policies or governance frameworks
• More than 83% have not begun comprehensive implementation of the Act’s requirements

The survey also identifies key challenges. Nearly 70% find the Act difficult to interpret while 45.3% face budget limitations. Approximately 77% are not equipped to adopt privacy technologies such as consent management, data discovery or rights fulfilment tools. Similarly, 76.4% cite limited access to subject‑matter expertise, and 58.8% struggle with cross‑border data transfer complexities.
 

Sectoral progress is similarly uneven. Consumer, retail and e‑commerce organizations lead with 50% having initiated their compliance journey. Technology services follow at 38.8%, and financial services at 34.7%. Metals, mining and energy show slower uptake at 20%, while healthcare and life sciences have the lowest momentum with only 9.9% initiating steps.
 

Compliance maturity across India Inc. is largely in the early to intermediate stage. While foundational controls are in place, advanced practices such as real‑time monitoring, data masking, access governance and mechanisms for children’s data protection remain limited. Even sectors considered more mature are still refining their strategies, while emerging sectors face constraints related to internal clarity and resources.
 

As organizations prepare for full implementation, several actions will be critical:

• Appointing a data protection function
• Conducting a thorough gap assessment
• Mapping and classifying personal data, including vendor and cross‑border flows
• Updating data protection policies and procedures
• Establishing consent‑management and rights‑enablement processes
• Implementing accessible grievance redressal systems
• Conducting breach simulation exercises and privacy audits
• Implementing reasonable data protection safeguards